webbrowser module + urls ending in .py = a security hole?

Bengt Richter bokr at oz.net
Mon Jan 30 19:25:10 EST 2006


On 30 Jan 2006 14:39:29 -0800, "Paul Boddie" <paul at boddie.org.uk> wrote:

>Peter Hansen wrote:
>>
>> I'd agree.  I suspect this ought to be reported as a security flaw,
>> though it would be nice to know what the fix should be before doing so.
>>   Anyone know a more suitable approach on Windows than just passing
>> things off to startfile()?
>
>I wouldn't mind knowing if os.startfile is the best way to open
>resources on Windows, and whether there's a meaningful distinction
>between opening and editing resources that is exposed through an
>existing Python library. My interest is in making the desktop module a
>useful successor to webbrowser:
>
>http://www.python.org/pypi/desktop
>
>Of course, since desktop.open leaves the exact meaning of "to open" to
>the user's desktop configuration, if that configuration then causes a
>Python program to be executed without some kind of confirmation,
>there's a fairly good argument for claiming that the configuration is
>broken - yes, it's the classic Microsoft convenience vs. security
>dilemma, circa 1998.
>
>For webbrowser, the opportunity to move blame to the user's environment
>is somewhat reduced, since the expectation of "browsing" a Python
>program would often be to show the text of that program. Given that
>webbrowser, in order to do its work, may rely on some environment
>mechanism that doesn't have the same view of "browsing" programs, there
>is a good argument for decoupling the module from those mechanisms
>entirely, although I can imagine that the resulting code would struggle
>even then to do the right thing.
>
I suppose a desktop config file with a sequence of regex patterns and associated defined actions
could dispatch urls to shell, browser, or custom app as desired, overriding
registry and/or browser settings by being first to decide. E.g., config might
have CSV-style command,params,... lines like

define,editor,C:\WINNT\system32\vimr.cmd "%1"
define,browser,D:\MOZ\MOZILL~1\MOZILL~1.EXE -url "%1"
define,savedialog,C:\util\savedialog.cmd "%1"
urlfilter,r'(?i)(\.py|\.pyw|\.txt)$',editor
urlfilter,r'(?i)(\.htm[l]?|\.jpg|\.gif|\.png|\.pdf)$',browser
urlfilter,r'(?i).*',savedialog

(I think this is more generally powerful than typical .INI file structure,
since you can define a very simple interpreter to do about anything with the
CSV data rows in order, including nesting things, if you make commands
that enter and exit nests. E.g.,
pushdir,c:\tmp\foo
...
popdir
log,file,c:\temp\foo\log.txt
log,on
...
log,off

etc. etc.)
Of course, you can jigger an INI file to contain any info you want also,
even using the windows {Get,Write}PrivateProfile{String,Int,Section,SectionNames}
API functions, which like many MS APIs IME of yore seem to work simply if you conform to
their usage preconceptions, but punish you with info discovery hell otherwise ;-)

Regards,
Bengt Richter
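As an added illustration of the dispatcher sketched above (example code written for this page, not from the post, the webbrowser module or the desktop package): a parser for the define/urlfilter lines in which the first matching pattern decides, each handler command is kept as an argv list so the URL is never handed to a shell or to os.startfile, and the catch-all sends anything unrecognised to a save dialog. The handler paths in the sample config are the post's placeholders, and SAMPLE_CONFIG, parse_config, route and open_url are names chosen here.

```python
import re
import shlex
import subprocess

# Constructed sample config in the CSV-style format sketched in the post;
# the handler paths are placeholders copied from it, not real programs.
SAMPLE_CONFIG = r"""
define,editor,C:\WINNT\system32\vimr.cmd "%1"
define,browser,D:\MOZ\MOZILL~1\MOZILL~1.EXE -url "%1"
define,savedialog,C:\util\savedialog.cmd "%1"
urlfilter,r'(?i)(\.py|\.pyw|\.txt)$',editor
urlfilter,r'(?i)(\.html?|\.jpg|\.gif|\.png|\.pdf)$',browser
urlfilter,r'(?i).*',savedialog
"""

def parse_config(text):
    """Return handler name -> argv template, and the ordered (regex, handler) filters."""
    handlers, filters = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cmd, _, rest = line.partition(",")
        if cmd == "define":
            name, _, command = rest.partition(",")
            # Store an argv list: the URL substituted for "%1" becomes a single
            # argument and is never re-parsed by a shell.
            handlers[name] = [t.strip('"') for t in shlex.split(command, posix=False)]
        elif cmd == "urlfilter":
            pattern, _, name = rest.rpartition(",")
            if pattern.startswith("r'") and pattern.endswith("'"):
                pattern = pattern[2:-1]  # accept the r'...' spelling used in the post
            filters.append((re.compile(pattern), name))
        else:
            raise ValueError("unknown config command: %r" % cmd)
    return handlers, filters

def route(url, config=SAMPLE_CONFIG):
    """First matching urlfilter decides; returns (handler name, argv to run)."""
    handlers, filters = parse_config(config)
    for regex, name in filters:
        if regex.search(url):
            return name, [url if t == "%1" else t for t in handlers[name]]
    raise LookupError("no urlfilter matched %r" % url)

def open_url(url, config=SAMPLE_CONFIG):
    """Run the chosen handler directly (argv list, no shell, no os.startfile)."""
    name, argv = route(url, config)
    subprocess.run(argv, check=False)
    return name
```

A URL with a query string such as x.py?download=1 does not match the editor filter and falls through to the catch-all, so it is saved rather than opened; strip the query before matching if such URLs should reach the editor instead.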
